This blog post shows how to use AutomatedLab to easily deploy a public key infrastructure (PKI) environment. The PKI environment will be a single server, which is installed with the certification authority (CA) role. Subsequently, you will be able to request and issue certificates to all computers and users in your lab. Also, if you want to sign Windows PowerShell scripts in the lab, a certificate can be created for this purpose.

Installation

If you have a version of AutomatedLab that is earlier than AutomatedLab 2.5, please uninstall it and install the latest version. You can find what you need on Microsoft TechNet: AutomatedLab.

Prerequisites for AutomatedLab

AutomatedLab requires Hyper-V and Windows PowerShell 3.0 (or higher). Hence, you need one of the following operating systems on the host where you want to install the lab:

Windows Server 2012 R2

Windows Server 2012

Windows 8.1

Windows 8

Note Although Windows Server 2008 R2 could work, and Windows 10 hasn’t been tested, at this time, we recommend that you use one of the listed operating systems on the host machine.

AutomatedLab scripts need to be running directly on the host where the lab environment (the virtual machines) will be created.

Prerequisites for installing a CA in the lab

The only prerequisite for the certification authority (CA) installation is that the server needs to be running Windows Server 2012 R2 or Windows Server 2012.

There are two types of certification authorities: Stand-alone or Enterprise. There are two major differences for the installation for the Enterprise CA:

It requires the server to be domain joined.

The account used during the installation of the role needs to have Domain Admin permissions.

In this post, we install an Enterprise CA.

Define the lab machines

For simplicity, we will use two machines. One machine will be become a domain controller and the other machine will become the certification authority server. The domain controller is defined as follows:

Note Refer to the previous posts in this series for details about defining machine roles.

The certification authority (like the domain controller) is a role in AutomatedLab, and this role needs to be specified when defining the lab machine. The role is selected by using the Get-LabMachineRoleDefinition cmdlet as follows:

$role = Get-LabMachineRoleDefinition -Role CaRoot

Next, the lab machine can defined using the selected role.

Add-LabMachineDefinition -Name S1CA1 `

-MemoryInMb 512 `

-Network $labNetworkName `

-IpAddress 192.168.81.11 `

-DnsServer1 192.168.81.10 `

-DomainName test1.net `

-IsDomainJoined `

-Roles $role `

-InstallationUserCredential $installationCredential `

-ToolsPath $labSources\Tools `

-OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'

After defining the lab machines, start the installation of the lab as usual:

Export the lab definition.

Import it (which also validates the configuration and reports any errors).

Start the installation, which will create the virtual network, create base images, create virtual machines running Hyper-V, and install the roles found in the lab.

The script looks like this:

Export-LabDefinition -Force -ExportDefaultUnattendedXml

Import-Lab -Path (Get-LabDefinition).LabFilePath

Install-Lab -NetworkSwitches -BaseImages -VMs

Install-Lab -Domains

At this point, the domain controller is installed and ready. Now the installation of the certification authority needs to be started. This is done like this:

Install-Lab -CA

Notice that you do not need to instruct the Install-Lab cmdlet about how to install the CA and how it should be configured. This is done automatically.

The lab is ready with a domain controller (hosting a domain, of course) and with an Enterprise CA. You can request and issue certificates from the subordinate CA for use in your lab.

Customize the configuration of the CA

The first installation was very easy because the entire configuration is automatic when you call Install-Lab -CA. Nowlet’s try installing a PKI environment where we define some of the CA configuration. Even though the default installation will work in the majority of situations for a test lab, it could be necessary to specify certain parts of the configuration for the PKI environment.

First the current lab needs to be removed:

Remove-Lab -Path <path to the lab.xml file>

The Remove-Lab cmdlet turns off and removes the virtual machines, the disks, and the network adapter.

The domain and the domain controller need to be defined as they were previously:

$role = Get-LabMachineRoleDefinition -Role RootDC `

-Properties @{DomainFunctionalLevel = "Win2012R2"

ForestFunctionalLevel = "Win2012R2"}

Add-LabMachineDefinition -Name S1DC1 `

-MemoryInMb 512 `

-Network $labNetworkName `

-IpAddress 192.168.81.10 `

-DnsServer1 192.168.81.10 `

-DomainName test1.net `

-IsDomainJoined `

-Roles $role `

-InstallationUserCredential $installationCredential `

-ToolsPath $labSources\Tools `

-OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'

When you define the CA, you have the option of specifying configuration parameters. Take a look at the following:

$role = Get-LabMachineRoleDefinition `

-Role CaRoot @{CACommonName = "MySpecialRootCA1"

KeyLength = “2048”

ValidityPeriod = "Weeks"

ValidityPeriodUnits = "4"}

The lab machine can be defined by using the selected role with the customized configuration. This command is the same as we used previously—only the content of the $role variable is different:

Add-LabMachineDefinition -Name S1CA1 -MemoryInMb 512 `

-Network $labNetworkName `

-IpAddress 192.168.81.11 `

-DnsServer1 192.168.81.10 `

-DomainName test1.net `

-IsDomainJoined `

-Roles $role `

-InstallationUserCredential $installationCredential `

-ToolsPath $labSources\Tools `

-OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'

As previously, perform the actual installation of the lab by using:

Export-LabDefinition -Force -ExportDefaultUnattendedXml

Import-Lab -Path (Get-LabDefinition).LabFilePath

Install-Lab -NetworkSwitches -BaseImages -VMs

Install-Lab –Domains

Install-Lab -CA

Notice that the command for installing the CA is almost the same as we used previously. The difference is that now the parameters specified in the Role parameter will be passed to the CA installation code.

This time, the lab is ready with a domain controller (hosting a domain, of course) and with an Enterprise CA configured by using our customized parameters.

To see all the parameters that are possible to specify when you install a CA server in AutomatedLab, you can type the following:

Get-Help Install-LWLabCAServers -Parameter *

Or to see only the names of the parameters (without the detailed information), type:

(Get-Command Install-LWLabCAServers).Parameters.Keys

Note Changing the parameters for the CA servers requires that you know about how the corresponding configuration parameters for CA servers are working. Hence, it is only recommended to customize parameters if you know about the PKI and have the need to customize parameters.

Supported PKI configurations in AutomatedLab

AutomatedLab supports one-tier and two-tier deployments for the PKI. This means that you can solely deploy a root CA, or you can deploy a root CA with a subordinate CA to this root CA.

AutomatedLab supports only PKI deployments in the same Active Directory forest. That is, deployment of a root CA in one Active Directory forest and a subordinate CA in another Active Directory forest is not supported.

Use the CA in the lab

Now that your CA server is set up, you can request a certificate for a user, request a certificate for a computer, or configure automatic enrollment.

Request a certificate for a user

To make a manual request, we can use the Web Enrollment interface on the CA server. Open a browser on the CA server, and type http://localhost/CertSrv. The following website is displayed:

Open Internet Options, and on the Security tab, click Custom level, and Enable the setting called Initialize and script ActiveX controls not marked as safe for scripting.

7. To see the certificate listed, select Certificates - Current User\Personal\Certificates.

8. Double-click the certificate name.

Congratulations! You now have a user certificate issued to contoso\Administrator installed locally on the CA server.

Request a certificate for a computer

It is also possible to request certificates for computers. We will make a manual request by using the certificates console on the CA server.

On the CA server, press Windows key + R, type mmc, and press ENTER.

Click the File menu, and then click Add/Remove Snap-in.

Click Certificates, and click on Add.

4. Select Computer account and click Next.

5. Click Finish. The root CA (license to be a certification authority) is present.

6. Under Certificates (Local Computer), double-click the Personal folder, right-click the Certificates folder, and click All Tasks, and then click Request New Certificate.

7. Click Next on the next two screens that appear.

8. Select the check box next to Computer,and click Enroll.

9. Click Details, and then click View Certificate.

Congratulations! Now you have issued a computer certificate for the CA server!

Enable automatic enrollment of certificates

Issuing the user and computer certificates was good fun. However, it will not be so much fun if you deploy a lab with 10+ computers and 50+ users and you need to enroll 60 certificates manually! Instead, you can configure automatic enrollment by following these steps.

#the second will be a member server configured as Root CA server. Everything in $labSources\Tools get copied to the machine's Windows folder

$role = Get-LabMachineRoleDefinition -Role CaRoot

Add-LabMachineDefinition -Name S1CA1 `

-MemoryInMb 512 `

-IsDomainJoined `

-DomainName test1.net `

-Network $labName `

-IpAddress 192.168.81.20 `

-DnsServer1 192.168.81.10 `

-InstallationUserCredential $installationCredential `

-ToolsPath $labSources\Tools `

-OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER' `

-Roles $role

#This all has created the lab configuration in memory. Next step is to export it to XML. You could have made the

#lab definitions in XML as well or can do modifications in the XML if this seems easier.

Export-LabDefinition -Force -ExportDefaultUnattendedXml

#Set trusted hosts to '*' and enable CredSSP

Set-LabHostRemoting

#Now the XML files needed to be reimported. Some basic checks are done for duplicate IP addresses, machine names, domain

#membership, etc. If this reports errors please run "Test-LabDefinition D:\LabSettings\Lab.xml" for more information

Import-Lab -Path (Get-LabDefinition).LabFilePath

#Now the actual work begins. First the virtual network adapter is created and then the base images per OS

#All VMs are diffs from the base.

Install-Lab -NetworkSwitches -BaseImages -VMs

#This sets up all domains / domain controllers

Install-Lab -Domains

#Install CA server(s)

Install-Lab -CA

#Start all machines what have not yet started

Install-Lab -StartRemainingMachines

$end = Get-Date

Write-Host "Setting up the lab took $($end - $start)"

What’s next?

The next post describes how to install a typical PKI hierarchy the way it is typically set up in production. This means there will be two CAs—one Stand-alone (the root CA) and one Enterprise (the subordinate CA).